From owner-freebsd-ipfw Thu Apr 6 14:25:09 2000
Delivered-To: freebsd-ipfw@freebsd.org
Received: from MailAndNews.com (MailAndNews.com [199.29.68.160]) by hub.freebsd.org (Postfix) with ESMTP id EDF5C37BAC0 for ; Thu, 6 Apr 2000 14:25:01 -0700 (PDT) (envelope-from mheffner@mailandnews.com)
Received: from muriel.penguinpowered.com [208.138.199.92] (mheffner@mailandnews.com); Thu, 6 Apr 2000 17:24:48 -0400
X-WM-Posted-At: MailAndNews.com; Thu, 6 Apr 00 17:24:48 -0400
Content-Length: 3756
Message-ID:
X-Mailer: XFMail 1.4.4 on FreeBSD
X-Priority: 3 (Normal)
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 8bit
MIME-Version: 1.0
In-Reply-To: <20000406165628.C4198@cc942873-a.ewndsr1.nj.home.com>
Date: Thu, 06 Apr 2000 17:24:23 -0400 (EDT)
Reply-To: Mike Heffner
From: Mike Heffner
To: cjclark@home.com
Subject: Re: Problems with natd
Cc: freebsd-ipfw@FreeBSD.ORG, Mike Heffner
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On 06-Apr-2000 Crist J. Clark wrote:
|
|> ipfw rules:
|>
|> 00010 176 14949 count log ip from any to any
|> 00015  24  2634 allow ip from any to any via lo0
|> 00100   0     0 allow ip from any to any via ep0
|> 00200   6   248 divert 8668 ip from any to any via ed0
|> 00300  57  6332 allow ip from any to any
|> 65535   1    28 deny ip from any to any
|
| Wide open for testing, good. One thing I'm curious about, and I really
| don't know if this has anything to do with the problem, is why the
| 'count' rule does not sum up to all of the rules below it.

Hrm, not quite sure. I had just added the count so that I could see what packets were being passed through ipfw (it was the only rule I could think of to just log the packet but pass it to the next rule...). I never usually use count at all, so I've never noticed that problem...

|
|> $ ifconfig -a
|> ed0: flags=8843 mtu 1500
|>         inet a.b.c.d netmask 0xffffff00 broadcast 255.255.255.255
|                                                    ^^^^^^^^^^^^^^^
| Is that the real value or did you mask that?
|

Well, I use dhcp (dhclient) to get the address for the cable modem line, looks like the dhcp server is returning that as the broadcast, or that dhclient is screwing up somehow. It's especially strange since the netmask doesn't go with that broadcast address. I've tried manually changing the broadcast back to the proper a.b.c.255, but it doesn't seem to change anything.

|
|> Out [TCP] [TCP] a.b.c.d:1026 -> e.f.g.h:21 aliased to
|>           [TCP] a.b.c.d:1026 -> e.f.g.h:21
|> Out [TCP] [TCP] a.b.c.d:1026 -> e.f.g.h:21 aliased to
|>           [TCP] a.b.c.d:1026 -> e.f.g.h:21
|> Out [TCP] [TCP] a.b.c.d:1026 -> e.f.g.h:21 aliased to
|>           [TCP] a.b.c.d:1026 -> e.f.g.h:21
|> Out [TCP] [TCP] a.b.c.d:1026 -> e.f.g.h:21 aliased to
|>           [TCP] a.b.c.d:1026 -> e.f.g.h:21
|>
|>
|> [ a.b.c.d == my ip address
|>   e.f.g.h == an internet server ip ]
|
| Hmmm... NOT what one expects. It does not look like anything is ever
| coming back. My first inclination would be to guess that there is a
| firewall rule blocking setups on port 21 in front of natd's divert
| rule, but if your output above is accurate, this is not the case.
|
| If you were not getting ICMP packets back, I would guess that
| something at or behind your coax modem was not routing properly. Does
| a tcpdump show the same thing as the natd log for the TCP connection
| attempt? Of course, there is always the question, maybe e.f.g.h is
| dropping attempts at 21?

Yes, that's why I'm nearly 100% sure this is natd related. Tcpdump shows the same output, packets are going out but never returning. And no, e.f.g.h isn't dropping ftp traffic, because when I remove the natd divert rule, I can ftp, telnet, etc. into e.f.g.h perfectly. This is also not restricted to just e.f.g.h and ftp, it occurs with all hosts and all traffic except ICMP (ftp, telnet, dns, ...). My only guess is that somehow natd, or something related, is shitting on the packet causing it to be dropped by a router as an invalid packet.

Although, looking at tcpdump output everything seems to be fine on the surface, haven't done a full packet dump yet though. I am going to see if I can get root (with permission =) on someone's box and run tcpdump to see if the packets are even getting to their machine AT ALL.

-Later

/****************************************
 * Mike Heffner                         *
 * Fredericksburg, VA   ICQ# 882073     *
 * Sent at: 06-Apr-2000 -- 17:02:50 EST *
 * http://my.ispchannel.com/~mheffner   *
 ****************************************/

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ipfw" in the body of the message
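The natd log quoted in the thread shows only "Out" records and never an "In" record for the same connection, and the ifconfig output shows a broadcast address that does not fit the netmask. As an added example, not code from the thread or from natd/ipfw, here is a small Python checker that pairs natd -v "Out"/"In" records and reports flows that never got a reply, plus a check for that broadcast/netmask mismatch. The log sample and addresses are constructed; the two-line record layout is assumed from the quoted output.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the shape of the natd -v output quoted in the thread:
# each record spans two lines, the second carrying the aliased (post-NAT) form.
SAMPLE_NATD_LOG = """\
Out [TCP] [TCP] 192.0.2.10:1026 -> 198.51.100.7:21 aliased to
          [TCP] 192.0.2.10:1026 -> 198.51.100.7:21
Out [TCP] [TCP] 192.0.2.10:1026 -> 198.51.100.7:21 aliased to
          [TCP] 192.0.2.10:1026 -> 198.51.100.7:21
Out [TCP] [TCP] 192.0.2.10:1027 -> 198.51.100.9:80 aliased to
          [TCP] 192.0.2.10:1027 -> 198.51.100.9:80
In  [TCP] [TCP] 198.51.100.9:80 -> 192.0.2.10:1027 aliased to
          [TCP] 198.51.100.9:80 -> 192.0.2.10:1027
"""

ADDR = r"([\d.]+):(\d+)"
RECORD = re.compile(
    rf"^(Out|In)\s+\[(\w+)\]\s+\[\w+\]\s+{ADDR} -> {ADDR} aliased to\s*\n"
    rf"\s*\[\w+\]\s+{ADDR} -> {ADDR}",
    re.MULTILINE,
)

def one_way_flows(log_text):
    """Return (proto, local, lport, remote, rport) tuples that natd sent out
    but never saw a reply for. Flows are keyed on the wire-side addresses:
    the aliased form of an Out record and the pre-translation form of an In
    record, swapped so that request and reply collapse onto one key."""
    counts = defaultdict(lambda: {"Out": 0, "In": 0})
    for m in RECORD.finditer(log_text):
        d, proto, osrc, osp, odst, odp, asrc, asp, adst, adp = m.groups()
        if d == "Out":
            key = (proto, asrc, int(asp), adst, int(adp))
        else:
            key = (proto, odst, int(odp), osrc, int(osp))
        counts[key][d] += 1
    return sorted(k for k, c in counts.items() if c["Out"] and not c["In"])

def broadcast_mismatch(addr, netmask, broadcast):
    """True when the configured broadcast is not the one implied by the
    address and mask (the thread's ed0 had 255.255.255.255 with 0xffffff00).
    Accepts the hex mask form that ifconfig prints as well as dotted quads."""
    if netmask.startswith("0x"):
        netmask = str(ipaddress.IPv4Address(int(netmask, 16)))
    network = ipaddress.IPv4Interface(f"{addr}/{netmask}").network
    return str(network.broadcast_address) != broadcast

if __name__ == "__main__":
    for flow in one_way_flows(SAMPLE_NATD_LOG):
        print("no reply seen for", flow)
    print("broadcast mismatch:",
          broadcast_mismatch("192.0.2.10", "0xffffff00", "255.255.255.255"))
```

Running it against a real natd -v capture points at exactly the connections whose replies never reached the divert socket, which is the symptom Crist and Mike are reasoning about above.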